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Abstract — A secret key agreement framework between three 
users is considered in which each of the users 1 and 2 intends 
to share a secret key with user 3 and users 1 and 2 are 
eavesdroppers with respect to each other. There is a generalized 
discrete memoryless multiple access channel (GDMMAC) from 
users 1 and 2 to user 3 where the three users receive outputs from 
the channel. Furthermore, there is a broadcast channel (BC) from 
user 3 to users 1 and 2. Secret key sharing is intended where 
GDMMAC and BC can be successively used. In this framework, 
an inner bound of the secret key capacity region is derived. 
Moreover, for a special case where the channel inputs and outputs 
of the GDMAC and the BC form Markov chains in some order, 
the secret key capacity region is derived. Also the results are 
discussed through a binary example. 

I. Introduction 

Ahlswede and Csiszar (TJ and Maurer (2) introduced the 
problem of secret key sharing across the broadcast channel 
where, in addition to the broadcast channel, there is a noiseless 
public channel for communication between the transmitter 
and the receiver through which, all communications can be 
overheard by the eavesdropper. Secret key sharing over a 
pair of broadcast channels between two legitimate users in 
the presence of an eavesdropper was investigated in [4|. Fur- 
thermore, secrecy has been investigated in other frameworks 
where a user can be a legitimate user and simultaneously 
an eavesdropper. The broadcast channel with two confidential 
messages is investigated in |9j in which the transmitter intends 
to send independent confidential messages to two receivers 
where the receivers are eavesdroppers of each other's message. 
The generalized multiple access channel with two confidential 
messages was investigated in (5) where each of the two 
transmitters intends to send his message to the receiver and at 
the same time obtains information about the other transmitter's 
message through the received output from the channel. Secret 
key sharing over generalized multiple access channel has been 
investigated in |6 | and |7 | where each of the two transmitters 
wishes to share a secret key with the receiver while keeping it 
concealed from the other transmitter. In [6|, there is a nioseless 
public channel from the transmitters to the receiver in addition 
to the generalized multiple access channel. In (TJ, there is a 
noiseless public channel from the receiver to the transmitters 
in such a way that the transmitters send information to the 
receiver through the generalized multiple access channel and 



the receiver communicates with the transmitters via the public 
channel. 

We consider secret key sharing in a framework similar to 
1 7 1 but in more conformity with real communication scenarios. 
There is a generalized discrete memoryless multiple access 
channel (GDMMAC) in the forward direction from users 1 
and 2 to user 3 where in addition to user 3, the other users 
receive noisy outputs from the channel. Furthermore, instead 
of a public channel from user 3 to users 1 and 2 as in 17], 
there is a broadcast channel (BC) in the backward direction 
from user 3 to users 1 and 2. In this framework, users 1 and 

2 intend to share secret keys with user 3 while users 1 and 2 
are eavesdroppers with respect to each other. Users 1 and 2 
send information to user 3 over the GDMMAC in the forward 
direction and user 3 answers them over the BC in the backward 
direction. The BC in the backward direction is used by user 3 
to send feedback from the received output from the GDMMAC 
and also the inherent secrecy of the BC increases the secret key 
rates. This framework can be realized in a wireless network 
where users 1 and 2, as network users, can communicate with 
user 3, as a base station, through uplink (GDMMAC) and user 

3 can communication with them through downlink (BC) and 
each of the network useres wishes to share a secret key with 
the base station hidden from the other user. We have derived 
an inner bound of the secret key capacity region. For a special 
case where the channel inputs and outputs of the GDMMAC 
and the BC form Markov chains in some orders, the secret 
key capacity region is obtained. Also a binary example is 
introduced and the bilateral effect of increasing the channel 
noise from user 3 to user 1 in the backward direction on the 
secret key capacity region is discussed. 

The paper is organized as follows: in Section II, the prelim- 
inaries of our secret key framework are given. An inner bound 
of the secret key capacity region is given in Sections III. The 
secret key capacity for a special case and a binary example are 
presented in Section IV. The paper is concluded in Section V. 
Proofs of the results are presented in Appendices. In the paper, 
a random variable is denoted by an upper case letter and its 
realization is denoted by the corresponding lower case letter. 
We use Xf to indicate vector A^ 2 , A^jv), and X^ 

to indicate vector (Xjj, Xjj+i, ...,Xi k), where i denotes the 
index of the corresponding user. 



II. Preliminaries 

Users 1, 2 and 3 communicate over a pair of noisy channels. 
There is a GDMMAC in the forward direction from users 1 
and 2 to user 3 and a BC from user 3 to users 1 and 2 in the 
backward direction. In the forward direction, users 1 and 2 
govern inputs X\j and X 2 f of the GDMMAC with probability 
distribution PY lf ,Y 2f ,Y 3f \x lf ,x 2f , and outputs Yi f ,Y 2f and Y 3f 
are seen by users 1, 2 and 3, respectively. In the backward 
direction, user 3 governs input X 3 b of the BC with probability 
distribution Py lb y 26 |x 3i) , and outputs Yxb and Y 2b are seen by 
users 1 and 2, respectively. Users 1 and 2 intend to share secret 
keys with user 3 where user 1 is the eavesdropper of user 2's 
key and vice versa. For simplicity, it is assumed that, like in 
Q, each transmitter uses the channel outputs to eavesdrop and 
not as inputs to the encoder when using the GDMMAC. Our 
results can be easily generalized to the situation where the 
channel outputs at the transmitters are used as inputs to the 
encoders of the GDMMAC as in fT0| , however it is beyond the 
scope of the present work. We represent the formal definition 
of the described secret key sharing as shown in Fig.l. 

Step 1) 71/ uses of the GDMMAC: Users 1 and 2 randomly 
generate independent keys K\f and K 2 f, respectively, and 
determine the i-th channel inputs Xy j and X 2 j\i to the 
GDMMAC for i = 1,2, ...,n/ as stochastic mappings of the 
corresponding keys. Subsequently, the outputs Yif^Ywi and 
Ysf t i are observed by users 1, 2 and 3, respectively. User 3 
estimates keys K~i / and K 2 f as deterministic function of . 

Step 2) rib uses of the BC: User 3 generates keys K lb and 
K 2 b, as stochastic functions of Y 3 jf to share with users 1 and 
2, respectively, and then, determines the i-th channel input 
X$b.i to the BC for i = 1,2, .... rib as a stochastic mapping of 
Y a J . By receiving Y™ b b and Y^ h b over the BC by users 1 and 
2, estimates K\ b and K 2 b are produced by the corresponding 
users. 

After these steps, the key pair (i^i/, K lb ) is shared between 
user 1 and user 3 and the key pair (K 2 f,K 2 b) is shared 
between user 2 and user 3. All the above keys take values 
in some finite sets. Now, we state the conditions that should 
be met in the described secret key sharing framework. 

Definition 1: In the secret key sharing of the proposed 
model, the rate pair (Ri,R 2 ) is an achievable key rate pair if 
for every e > and sufficiently large nt and rib, we have: 

-L-H{K ls ,K lb )>R, - e, -^- H (K 2f ,K 2b )>R 2 - e (1) 

Pr{(i^i / ,if 16 )/(^ 1/ ,^ 16 )}<e,Pr{(A- 2/ ,if 2i) )/(A"2/, J R'2f ) )}<e(2) 
^-I(K lf ,K lb ; K 2f ,X?f , Y 2 J , Yg) < e (3) 

^-I(K 2f ,K 2b ; K lf ,X% , Y?/ , Yg) < e. (4) 

Equation (1) means that the rates i?i and R 2 are the rates 
of the secret keys between user 1 and user 3 and user 2 and 
user 3, respectively. Equation (2) means that each user can 
correctly estimate the related keys. Equations (3) and (4) mean 
that users 1 and 2 effectively have no information about each 
other's secret keys. 

Definition 2: The region containing all achievable secret 
key rate pairs (Ri, R 2 ) is the secret key capacity region. 
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Fig. 1 : Secret key sharing using GDMMAC and BC 

III. Main Results 

Now, the main result of the paper is presented. First, we 
define: 

A nt —A nj, 

(1 = Oi = — 

nf+n b ' nj+n b 

R lf ± a[I(T lf ;Y 3f \T 2f ) - I(T lf ;X 2f ,Y 2f ,T 2fb \T 2f )}+, 

R lfb ±a KT Vi ; X lf Yxf I T v ) - I(T lfb ; X 2f ,Y V ,T 2f ,T 2fb \ T v )] + , 

R lb = a[J(T«; Fib) - /(Tit,; Y 2b , T 2b )} + , 

R 2f A a [I(T 2f ;Y 3f \T lf ) - I(T 2f ;X lf ,Y lf ,T lfb \T lf )}+, 

R 2 fb=a \I(T 2fb ; X 2f ,Y 2/ \T 2f )~ I(T 2fb ; X lf , Y lf ,T lf ,T lfb \ T 2f )} + , 

R 2b = a[I(T 2b ; Y 2b ) - I(T 2b ; Y lb , T lb )] + , 

R 12f 4 a[I(T lf ,T 2f ;Y sf ) - I(T lf ;X 2fy Y 2f ,T 2fb \T 2f )- 

I(T 2f ;X lf ,Y lf ,T lfb \T lf )}+ (5) 

Theorem 1: In the described setup, all rates in the closure 
of the convex hull of the set of all key rate pairs (Ri, R 2 ) that 
satisfy the following region, are achievable: 

Ri > 0, R 2 > 
Ri < Rif + Rifb + Rib-, 
Ri < R^f + Rifb + Rib-, 

Ri + R 2 < R\if + Rifb + Rifb + Ru + Rib, (6) 
subject to the constraints: 

n f I{T lfb ;Y 3f \X lf ,Y lf ,T lf ) < n b I{X 3b ;Y lb ), 
n f I(T 2fb ;Y 3f \X 2fl Y 2f ,T 2f ) < n b I(X 3b ;Y 2 b), (7) 

for random variables taking values in sufficiently large finite 
sets and according to distribution: 

P{tif,t 2 f,x lf ,x 2 f,y lf ,y 2f ,y 3f ,t lfb , t 2fb ,t lb ,t 2b , x 3b , y lb , y 2b ) = 
p{t 1 f)p(t 2 f)p(xif\tif)p(x 2 f\t 2 f)p(y lf ,y 2 f,y: if \x 1 f,x 2 f)x 
p(tifb,t 2 fb\y3f)p(ti b ,t 2b )p{x 3 b\ti b , t 2b )p{y lb , y 2b \x sb ) 

The proof of Theorem 1 is given in Appendix I. Here, 
the justification of the above rates is given. As seen in (6), 
user l's secret key rate consists of three components. The 
first term, Rif, is the rate of the key (-Ki/) that can be 
generated by user 1 and shared between user 1 and user 
3 in the forward direction using only the GDMMAC. The 
second term, Rifb, is the rate that could be generated from 
the correlated observations in the forward direction; meaning 
that the channel outputs of the GDMMAC can be regarded 
as correlated source observations at the users for secret key 
generation. For this purpose, user 3 generates K\f b as a 
function of the received output from GDMMAC for sharing 
with user 1 and the required information should be sent by 
user 3 over the BC in the backward direction. The constraints 
in (7) arise from the fact that the information sent by user 3 
should be subject to rate limitations in the backward direction. 



Indeed, Ki t b is the key that is generated using the correlated 
observation in the forward direction between users 1 and 3, 
however, the required information for this goal is transmitted 
over BC in the backward direction. The third component,i?ib, 
is the rate of the key (Ki b ) that can be shared between users 
1 and 3 using the inherent secrecy of the BC. User 2's key 
rate and the sum rate can be justified in the same way. 

Remark 1: If we cancel the BC by setting X 3b = Yi b = 
Y 2b = Ti b = T 2b = T lfb = T 2fb = <f> in Theorem 1, the 
region reduces to the secrecy rate region of the GDMMAC 
with two confidential messages as discussed in [5] where the 
transmitters are eavesdropper with respect to each other. 

Remark 2: If we cancel the GDMMAC by setting T\f = 
T 2 f = Xif = X 2f = Yi f = Y 2} = Y 3f = Ti fb = T 2fb = <j) 
in Theorem 1, the region reduces to the secrecy rate region 
of the BC with two confidential messages as discussed in [9] 
where the BC's receivers are eavesdroppers with respect to 
each other. 

Remark 3: If we convert the BC to a noiseless public 
channel with unlimited capacity in the backward direction by 
setting Yi b = Y 2b and considering I(X 3b ;Yi b ) as infinity in 
Theorem 1, the region reduces to the secret key rate region of 
the GDMMAC with the backward public channel as in (7). 

IV. Special Case 

In this section, we derive the secret key capacity region for a 
special case. 

Corollary 1: When the GDMMAC and BC inputs and 
outputs form Markov chains as (Xy, Xy ) — Y 2 f — Yy — Y 3 f 
and X 3b ~ Y 2b — Yi b , the secret key capacity region is the set 
of all rate pairs (Ri,R 2 ) that satisfy: 

Ri < I(T lfb ;Y lf \Y 2f ), R 2 < I(X 3b ;Y 2b \Y lb ), 

subject to the constraint: 

I(T lfb ;Y 3f \Y lf ) <I(X 3b ;Yi b ) (8) 

for random variables taking values in sufficiently large finite 
sets and according to the distribution: 

p(xif , x 2f ,y lf ,y 2f ,y sf ,t lfb , x 3b ,y lb ,y 2b ) = p{xif)p(x 2 f)x 
p(yif,y2f,y:if\xif,x 2f )p(t lfb \y 3f )p{x :ib )p(y lb , y 2b \x 3b ) 

The achievability can be inferred from Theorem 1 by substi- 
tuting Ti f = T 2f = T 2fb = Tib = 4>,T lfb = Y 3h T 2b = X 3bl 
and using the above Markov chains. The converse is proved 
in Appendix II. 

In this case, due to Markov chains (Xi f , X 2 A — Y 2 f — Y 3 j 
and (Xif : X 2 f) — Yif — Y 3 f, none of users 1 and 2 can share 
a secret key with user 3 in the forward direction using just 
the GDMMAC. However, after the GDMMAC outputs are 
received in the forward direction by the three users, secret 
key sharing can be established by user 3 through the noisy 
BC. For this purpose, user 3 uses the correlation between the 
received output from the GDMMAC to share a secret key to 
user 1. The required information is sent to user 1 over the 
backward BC by user 3 and the rate constraint in (8) is due to 
this fact. It is evident that no secret key can be shared between 
user 3 and user 2 using GDMMAC outputs due to Markov 
chain Y 2 t — Yit — Y^t. On the other hand, user 3 can agree 



on a secret key with user 2 exploiting the inherent secrecy of 
the backward BC which is in favor of user 2 due to Markov 
chain X 3b — Y 2b — Yi b . With these arguments, achievability of 
the above key capacity region is justified. 

In the following, an example is given to make sense of the 
secret key sharing in the described framework. 

Example T. Consider binary GDMMAC and BC where 
all channel inputs and outputs have alphabets {0, 1}. The 
GDMMAC and BC input-output relationships at time instant 
i are according to: 

Y 2 f t i — Xif t i ■ X 2 f ti , Y\j,i — y 2 ;,i © Ei,i, Ysfj = © E 2t i, 

Y 2bi i = X$ b ,i © Ez,i, Y\ by i = Y 2b ,i © i?4,i, 

in which Ej i is a binary random variable with the distribution 
Pr(%j = 1) = p 3 where < Pj < 0.5 for j = 1, ..,4. The 
random variables Ej ;L for j = 1, ..,4 are independent of each 
other. In this example, it can be seen that the GDMMAC and 
BC inputs and outputs satisfy the same Markov chains as in 
Corollary 1. Hence, no secret key can be shared just using the 
GDMMAC in the forward direction. As it was illustrated in 
the case of Corollary 1, the channel outputs of the GDMMAC 
can be used by user 3 as source observations and secret key 
agreement can be established between users 3 and 1 due to the 
Markov chain Y 2 f— Y\f— Y3/. In fact, the correlation between 
the noises received by users 1 and 3 from GDMMAC is the 
potential to generate secrecy. This necessitates sending the 
required information of the source common randomness from 
user 3 to user 1 and the backward BC is used to send such 
information. It should be noted that due to the Markov chain 
X 3b — Y 2b — Yi b , the backward channel is favorable for user 2 
to generate secrecy. Indeed, the backward channel from user 3 
to user 1 just serves as a public channel with limited capacity. 
In this example, we assume fixed value for the parameter pj 
for j = 1,2,3 and investigate the impact of varying P4 on the 
secret key capacity region. The secret key capacity region is 
shown for six values of P4 in Fig. 2. For P4 = 0, the users 
1 and 2 receive same outputs from the BC and so no secret 
key can be shared between users 2 and 3. In this state, the 
BC channel can be treated as a public channel with limited 
capacity from user 3 to the other users to send the required 
information from user 3 to user 1 in order to key agreement 
using the channel outputs of GDMMAC. As P4 increases, the 
secret key rate between users 3 and 2 would increase as user 1 
receives a more noisy output from BC with respect to user 2's 
received output. On the other hand, increment of P4 worsen the 
backward channel from user 3 to 1 and hence, less information 
can be sent from user 3 to user land this results in reducing the 
secret key rate between users 3 and 1. Therefore, increment 
of P4 has a two-side effect on the secret key capacity region. 
As P4 reaches to 0.5, the backward channel from user 3 to 
user 1 becomes a completely random channel and the secret 
key sharing would be possible just between users 3 and 2. 

V. Conclusion 

The problem of consecutive secret key sharing over a GDM- 
MAC and BC was studied where users 1 and 2 intended to 
share secret keys with user 3 while they were eavesdroppers 
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Fig. 2: The secret key capacity regions for different values of noise p4 

with respect to each other. The inner bound of the secret key 
capacity region was derived. Also, the secret key capacity 
region was obtained for a special case where the GDMMAC 
was in favor of user 1 and the BC was in favor of user 2. 
Also through an example, the bilateral effect of increasing the 
channel noise from user 3 to user 1 was investigated. 

Appendix I 

Proof of Theorem 1 

We fix the distribution to be the same as in Theorem 1. As 
described in Section II, the secret key sharing is established 
in two steps; n/ uses of the GDMMAC and n b uses of the 
BC. In continue, we describe code construction, encoding and 
decoding of the two steps separately and then, the security 
analysis is given. 

First, we consider using the GDMMAC. Users 1 and 2 inde- 
pendently generate typical sequences t™j and t 2 j , respectively, 
each with probability: 

p(t? f ) = mMtm)^) = nrii *>(%,*)• 

The number of the sequences t\ s f and t 2 f f are 2 n f ( - r ' 1 f +r '^ ) 
and 2 nf(r ' 2f+T2 f \ respectively, and they are labeled as: 

t? f {k lf ,V lf )Mf G {l,...,2»/'V>} ) fci / G {1,...,2"^/} 
t? f (k 2f ,k' 2f ),k 2f G {l,...,2 n f r ^},k' 2 G {1,...,2"^/} 
where 

r' lf =I(T lf ; T V , X 2f , Y 2f , T 2fb ye' , r' 2f =I(T 2f ; T lf , X lf , Y lf , T lfb ye> , 

in which e' > can be arbitrarily small. 

For the first step encoding, when a key index k\ / is chosen 
by user 1, an index k[j is randomly selected and then for 
k[f), the channel input x"j is sent according to the 
distribution p(xif\tif). The same is performed by user 2. 

For the first step decoding, user 3 chooses the sequences 
t x j: and t 2 j- which are e\— jointly typical with the received 
y 3 j where E\ = |. User 3 decodes key pair (kif,k 2 f) 
if {t^ f {k 1 f,k[ f ),t 2 ' f {k 2 f,k^ } ),yl s f ) G {P Tlf ,T 2f ,Y 3f ), 

when such (i^ (fci/, fcjj), i 2 £ (fc2/, ^2/)) exists and is unique. 
Otherwise, it declares error. It can be shown that the decoding 
error probability of this step is bounded as: 

Pel f < £ 1 + 2 n/(ri/+r W +r2/+r 2/ _(/ ( T V ;r2 J' ;i ' 3 / ) ^ 4ei " 
+ 2™/ ( r l/+ r i/-( / ( T V ; T 2/ y-ij )-3«l)) + 2 n f (. r 2f+r'2f-(!(T 2 f ;T lf X 3 f )-3ei )) _ 

If we set: 

r lf < I(T lf ;Y 3f \T 2f ) - I(T lf ;X 2f ,Y 2f ,T 2fb \T 2f ), 
r 2f < I(T 2f ;Y 3f \T lf ) - I(T 2 f,X lf ,Y lf ,T lfb \T lf ), 
rif + r 2f < I(T lf ,T 2f ;Y 3f ) - I(T lf ;X 2f ,Y 2f ,T 2fb \T 2f ) 
-I(T 2f ;X lf , Y lf ,T lfb \T lf ), 



then we have: 

By setting e' > 3ei, for example e' = 4ei = |, we choose 
n f sufficiently large that 2™/(- £ '+ 3ei ) < £l , and then P el f < 

4 £l = f . 

At the end of the first step, user 3 generates secret keys of 
the second step as stochastic functions of the channel output 
y^j and sends required information to users 1 and 2 via the 
backward BC. In this step, user 3 generates 2 n t^ T ^^f)+ e ") 
and 2™/( / ( T2 / i '' Y3 /)+ £ ") typical sequences t"j b and t 2 f fb , re- 
spectively, each with probability: 

71/ 

P(*l/6>*2/&) = ]]_P(tlfb,i,t2fb,i)- 

These sequences are labeled using two-layered random bin- 
ning as: 

*i/i,( fc i/f>i k 'ifb, k"f b ), 

fci/i^l,...^"/^/^,^^!,...^"/^},*!^!,...^"/^/*}, 

^2/f)(^2/f>, k 2 f b , k 2 f b ), 

k 2fb e{l, 2"/^/*}, k' 2fb €{l, 2 n t^f>}, k'l fb €{l, 2"/^'/*}, 
where: 

r ifb = I(Tifb'> x if, Yxf\Tif) - I(T 1 f b ;X 2 f,Y 2 f,T 2 f,T 2 f b \T 1 f), 

r'lfb = I(Tif b ;Y 3f \X lf Y lf ,T lf ) + 2e" , 

r'I fb = I(Tif b ;X 2f ,Y 2f ,T 2f ,T 2fb ,T lf ) - e" , 

r 2fb = I(T 2 f b ;X 2 j,Y 2 f\T 2 f) - I(T 2 f b ;X 1 f,Y 1 f,T 1 f,T 1 f b \T 2 f), 

r 2/b = I(T 2fb ;Y 3f \X 2f ,Y 2f ,T 2f ) + 2e", 

r 2fb = I ( T 2fb;X lf ,Y 1 f,T 1 f,T lfb ,T 2f ) - e", 
in which e">0 can be chosen arbitrarily small. It is obvious that 
i~ifb+r-' 1 f b +r"f b = I(T 1 f b ; Y 3 f)+e" and hence, each sequence t"j b 
can be determined if the indices (fci/b, k' 1;fb , k'{ fb ) are known 
and vice versa. The same is true for t 2 j b . Furthermore, user 3 
generates typical sequences and t 2b , each with probability: 

i=l 

The number of sequences t™£ and t 2b are 2 nb{rib+r '^>) and 
2"-b(r 2 b+r 2b ) > respectively, and they are labeled as: 

Q(k lb , k' u ), k lb G {1, 2"*^)}, k' lb G {1, 2"^}, 
Q(k 2b , k' 2b ), k 2b G {1, 2"»^)}, k' 2b G {1, 2"^*}, 

where 

r lb = I(T lb ; Y lb )-I{T lb ; Y 2b , T 2b ),r' lb = I{T lb ; Y 2b , T 2b ) -e'", 
r2b^I(T2 b ;Y 2b )-I(T 2b ■,Y lb ,T lb ),r / 2b ^I(T 2b ■,Y lb ,T lb )-e , '', 

in which s'" > can be arbitrarily small. 

Due to the inequalities in (7), two functions fi and f 2 can be 

defined as: 

/i : 7i6 -> fc'if b , h ■ 7~2 b -> IC' 2fb , 

JC[ fb = {1, .., 2»' r U} ) - {1, 2"/^}, 

where 7ib and 726 are, respectively, the set of 2 nb ( I ( Tlb ' Ylb ^~ £ ^ 
and 2 n »( I{T2b '- Y ^- 6 "^ codewords and t^ 6 - Mapping /i is a 
random partitioning of codewords t"^ into 2 nfri f b equal-sized 
parts. Elements of part i are labeled as (Ti b )i- Mapping f 2 is 
similarly defined. 

Now, we describe the coding scheme of the second step, 
i.e., using the BC in the backward direction. In this step, user 
3 shares two keys with each of users 1 and 2, one derived 



from the correlation of GDMMAC outputs at the users and 
the other derived from the inherent secrecy of the BC. With 
access to sequence y^l , user 3 chooses the codewords t"j b and 
^2fb which are e"— jointly typical with y 3 j. Then, he selects 
the respective index kifb of the codeword t™j b and k 2 f b of the 
codeword t£f b as the second parts of the secret keys with user 
1 and user 2, respectively. For these codewords, the respective 
indices k'y b and fcL b are the required information to be sent 
to user 1 and user 2, respectively, so that each can decode his 
corresponding key. User 3 encodes (fc^ b and k' 2 ^ b ) in such a 
way that he returns t™ b and t 2b , randomly chosen from (Jib)k' lfb 
and (p2b)k' 2Jb 7 respectively, using the mappings /i and f 2 . For 
the selected t™ b (ki b ,k' lb ) and (A: 2 6, fc 2h ), user 3 considers 
the corresponding indices ku, and k 2b as the third parts of 
the keys to be shared with users 1 and 2, respectively. Then 
the channel input x^ b is sent over the BC according to the 
distributions p(x3 b \ti b , fab) by user 3. 

For the second step decoding, user 1, first, decodes the 
sequence t™ b and consequently key index kit, by receiving 
y™ b b . User 1 chooses the sequences t™ b which is e\— jointly 
typical with the received y™ b where e[ = |. User 1 decodes 
key index k lb if (Q(k lb ,k[ b ),y%) e A^(P TlbtYlb ), when 
such t™ b (kib,k' lb ) exists and is unique. Otherwise, it declares 
error. It can be seen that the decoding error probability is 
bounded as: 



PelM < ei + 2 



-nb{s" 



and so, by choosing e'" > e\ and considering n b sufficiently 
large, it can be bounded as: 

PeX t b<^'l = \- 

User 1 considers ku, as the third part of his secret key with 
user 3. After that, user 1 finds the mapping (Ti b )i of codeword 
t™ b and sets fc^ b = i. Now, user 1 decodes sequence t^ b if: 

{t v T b {k-if b , k lfb =i, k lfb ),x lf J , y lf J , t lf J )£AJ, {P Tlfb ,x lf ,Y lf \T lf ), 

when such t^{ b (kifb,k[f b ,k'^ b ) exists and is unique. Other- 
wise, it declares error. For e'{ = f , according to Wyner-Ziv 
problem for multiple sources in (»), it can be seen that the 
decoding error probability of the sequence t 1 j b yields as: 

Pel /6 <e"+2'^ (/(T w b;r ^ |x w ,y W' T v )+£ "" r w 6) =ei'+2~ n ^ (2E ''" e " ) . 

By choosing 2e" > e'{ and considering nf sufficiently large, 
it can be bounded as P el ^ b < 2e'{ = |. After successful 
decoding, user 1 considers k\ /& as the second part of his secret 
key with user 3. By the above arguments, the secret key triple 
(kif, kifb, kib) can be shared between users 1 and 3 and the 
total decoding error probabilities is bounded as: 

Pel < PelJ + Pel,b + Peljb ^| + f + | =£ - 

The same steps can be followed for the secret key triple 
(k 2 f,k 2 f b ,k 2 b) between users 2 and 3. 

Now, we should check the security conditions of definition 
1. We give the proof of (3) and by symmetry, (4) can be 
deduced. As the keys (Kifb, Kib) are shared in the backward 
direction, equation (3) can be rewritten as: 



I(K lf y K lfb ,K lb ;K 2f , X% , Y% , Y^)= I{K lf ;K 2f , g , iff Yg + 
I(K lfb ;K 2f ,X% ,Y 2 / ,Y 2 n b b \K v ,K lb )+I(K lb ;K 2f ,X;? ,Y 2 7 ,Yg \Kif) 



We analyze the three terms separately. Some Markov chains 
useful in the security analysis are given below. These Markov 
chains arise from the coding scheme. 

(Ki f ,K 2f )- «; , x% ) - (y;/ , r 2 y , r 3 y > o) 

(X™ 1 X nf Y nf Y nf )-Y nf -(T nf T nf )~(K' K' )- 

\ If ' 2/ ' 'if ' *2f > 'Sf \ 1 lfb' 1 2 fb> \ lx lfb' JX 2fb> 

(10) 

T nb <k^ k' )-T nb -K' -(V" J X nf Y" f V" f X nj Y nj ) fill 
+ lb (Klb,K lb ) J 2 i) -"-2/6 \ V 1J ' A l/ ' 'if ' V 2f ' ■ A 2J ' Y 2f I i Ll ) 

■' _fT/*V v' 1 / v A s v d f v n f v fl f\ noi 



T 2b b {k 2b ,k' 2b )-T^ -K' lfb - (v"f , x? f , y;>/ , v;y , x;> , y 2 j > (i 2) 



For term A, we have: 



(a) 



I(K lf ; K af ,X% Xf ,Yg ^ < I(Ki f ; T% , X% , Y?/ , Yg ) 

< I (Kif ; T 2f , X 2f , Y 2f , Y 2b , K lfb , K 2fb ) 
^I(K ir X/,X^,Y 2 y,K[f b ,K 2fb ) 

< I(Ki f ; T 2 f , X% , Y 2 f , K'if b , T 2 / b ) 

= I(Ki f ; T 2 j , X 2 f , Y 2 y , T 2 / b )+I(Ki f ; K[ fb \T 2 f , X% , Y 2f s , T 2 / b ) 



n f Y n f v n f T n S , 
± 2f ' A 2j ' 2/ ' ± 2fb I 

T ™/ V n S V n f rp^J I 

± 2f i "J/ ! x 2f ' x 2fb I 



<-2f > *2f 



+ Tlf£ 2 + UfE'i + I 



= H(K lf ) - H(K lf 
= H(Ki f ) - H(T"f 

+H(T?J \Ki f ,T 2 ;,X 2 f,Y 2 /X/ b ) + I 

< H(Ki f )-n f H(T lf \T 2f ,X 2f ,Y 2f ,T 2fb ] 

< -n f H(T lf \T 2f ,Y sf ) + n f e 2 +n f e 3 + I 

< n f e 2 + n f e 3 + I(K[ fb ;T^ , T 2f f , X% , Y 2 J , T^) 
= n f e2+nfe 3 + H(K{f b )-H(K[f b \T^,T 2 J,X^,Y 2 y,T 2 J b ] 
= n f S2 + n fSi + H(K[ }b ) - H{T^ b \T% , T% , X% , Y$ , T&) 
+H(Kifb, K"f b j K[fb, Ti / , T 2 f } , X 2 f , Y 2 f f , T 2 f f b ) 

if) 

< n f E2 + n f e 3 + H{K' lfb ) + H(K lfb ) 
-n f H(Tif b \Ti f ,T 2 f,X 2f ,Y 2 f,T 2 fb) +n f e 4 + n f e 5 

= nfE 2 +nfE 3 -nfH(Ti fb \T lf ,X lf ,Y lf ) + 2nfE" + nf£4+n f E 5 

< rif£ 2 + 7i/£3 + 2n/e" + nfEi + rtf£ 5 

In above equations, (a) follows from the fact that index 
k 2 f is one of the indices of t^j. (b) is due to Markov 
chain (10) and (c) follows from the fact that index k' 2 f b 
is one of the indices of t^j b . To prove (d), the same ap- 
proach as lemma 2 and 3 in (5J can be exploited to show 
n f H(Tif\T 2f ,X 2f ,Y 2 f,T 2 f b ) < H(T?f \T?f , X^ , Y 2 J , T 2 "/ 6 ) + 
n f E2 and H(T™j \Kif, T 2 j , X 2 j , Y 2 j , T 2 J b ) < n f e. (e) is de- 
duced from the reliable decoding condition of kif. (f) can be 
deduced from the same approaches as (d). 
For term B, we have: 



I{Ki 



^l/i>; K 2 f,X 2 i ,x 2 ; , i 2b \n.if , j 
i J (.A 1/6, flyj, ^ 2 fb> M lf ^2f i A 2/ ' Y 2f ' Y 2b > 

{ -I(K^k-K' K' T n/ T n/ X nf Y nf ) 

— l\n-lfb, -"-l/bi JX 2fb> 1 lf < 1 2f ' A 2f '*2f > 

< KK-i tu- K' T nf T nf T nf X" f Y nf ) 

- 1 l n l/i"-"l/ii J 2/6' 1 lf ' 1 2f ' A 2f '2f> 



,Y n 



Xb b 1^1 



,K lb ) 



H(Ki fb )-H(Ki 



Jb 



I K l T n f T n f T n f y n f V n f \ 
A l/i' I 2/i' J l/' J 2/' A 2/' I 2/ I 



< H(Ki fb ) + H(K[ fb ) - H(T? f { \T%,T?j , T# , X% , Y."/ ) 

+ H \ 1 lf b \ K lfb, K lfb> 1 2fb< 1 lf ' 1 2f ' A 2/ ' ^2/ ) 

(6) 

<H(Ki fb )+H(K' lfb )-n f H(T lfb fT y ,T 2/ ,X 2/ ,Y 2/ ,T 2/i) ) +„ /£4 +„ /£5 



= -n f H(T lfb \T lf ,X lf ,Y lf ) + 2n f e" + n /£4 + n f es 

In the above equations, (a) can be deduced from the Markov 
chain (10) and (b) from the same arguments in term A. 

For term C, we have: 

I(K M K v ,X%,Y?/,Yg\K lf ) 
< I(K lb ; K lf ,K 2f ,X% , Y" f , Yg) 

<i(K lb ;V"/ ^ nf v*/ v*/ v«o u> 

(a) 



in Definition 1, there exist random variables according to the 
distribution of Corollary 1 satisfying the mentioned relations. 
We prove the outer bound of R\ . The outer bound of R 2 can be 
deduced using the same approaches. Before launching proof, 
Markov chains are given which are useful in continue: 



■w : Y ' Y 1 Y b PC' 1 
' v 2f i A 2f ' Z 2f ' Z 2b ' rL 2fb> 



(b) 



I(K lb ; Y% , K> 2 fb ) < I(K lb ; Y% ,K' 2fb , T$ ) 
I(K lb ; Yg,T%) = H(K U ) - H(K lb \y£ ) 
H(K lb ) - H{T% \Yg , ) + £T(T£' \k u , Y% , T% ) 



< H(K U ) - n b H(T u \Y 2b , T 2b ) + n b e& + n b e 7 
= -n b H(T lb \Y lb ) + n b e 6 + n b e 7 < n b e 6 + n b e 7 

In the above equations, (a) and (b) can be deduced from 
the Markov chain (11). To prove (b), the same approach as 
lemma 2 and 3 in (9j is exploited to show n b H(T lb \Y 2b ,T 2b ) < 

H(T? b f \Y£,T 2b f ) +n b ee and H(T%\K U ,Y£,T%) < n b s 7 . 
By substituting e" = ^,£j = §,£j = § for i — 2, ..,5 and 
j = 6, 7, the security condition (3) is satisfied as: 

I(K lf ,K lfb , K lb - K 2f ,X% , F 2 y , Yg) < (n f + n b )e. 

To show that the total rate of user l's secret key is the 
sum of the rates r\f,r\fb an d rib, we should prove the 
independency of the keys. When analyzing terms B and C 
of the security condition, we show that: 

I(K lfb ;K lf ,K lfb ) < I(K lfb ;K lf ,K 2f ,K lfb ,X^,Y 2 n /^2 n b b ) 

< 2n/e" + rifEi + rifEs 

I(K lb ;K lf ) < I(K lb ;K lf , K 2f ,X 2f f ,Y 2 /,Y 2 n b ") < n b e 6 + n b e 7 
and hence: 

H(K lf ,K lfb ,K lb ) > H(K lf ) + H(K lfb )+H(K lb )- 

(2n/e" + n/e 4 + n f e s + n b e 6 + n b e 7 ) 

> H(Kif) + H(Kif b ) + H(K U ) - (n f + n b )e, 

and this completes the proof of theorem 1. 
It should be noted that in the code construction of the second 
step, we implicitly assume I(Ti b ;Yi b ) > I(Ti b ;Y 2 b,T 2b ). In 
the case where I(T\ b ; Yi b ) < I (Tib', Y 2b , T 2b ), user 3 randomly 
maps k[f b into a space with 2 nb ^ I ^ Tlb ' Ylb '~ e: ^ elements and 
no secret key is chosen as kib. The same is true about user 
2's codebook. 

Appendix II 
Proof of the converse in Corollary 2 

To derive the outer bound in Corollary 1, it is assumed that 
the keys are produced in two steps as discribed in Section 2. 

Applying Fano's inequality to the corresponding keys at the 
users, for an arbitrary smalle > 0, we obtain: 

H(K lf ,K 2f \Y?/) < n f (^ +eIog(|/Ci / | \IC 2f \ - 1)) 4 n f e 1: 
H(K lb \K lf ,X?j , Y"/ , Y^)<n b (^ + E (log \K lb \- 1)) 4 n b e 2 , 
H(K 2b \K 2f ,X; f f , Y 2 f , Y2)<n b (^ + eQog \IC 2b \- 1)) 4 n b e 3 , 

where |/Ci/| is the cardinality of key set /Ci/ and — > if 
e-> for i= 1,2,3. 

Now, we show that for the secret keys satisfying above 
reliability conditions and the security conditions (3) and (4) 



(K lb ,K 2b )-X%-Y2-Y% 
It is defined: 

, _ 2(n/ + n b )e + rifEi + n b s 2 



(14) 



(n f +n b ) 



We have: 



(nf + n b )Ri_ < H(Kif, Ki b ) + (nf + n b )e 

(a) 

V 2/ > 1 2f 



< H(K lf ,K lb \K 2f ,X 2 l,Y 2 /,Y 2b b ) + 2(n f +n b )£ 



<H(K lf I K 2S , X;/ ,Y 2 y, Y 2 n b b )+H(K^ | K v , K 2f , X^/ , Y% , F" b ) 
-H(K lf \K 2f , Y?/)-H(K lb \K lf ,X% ,Y"f ,Y? b b )+(n f + n b )e' 
<I(K ir Xf\K2f,X%,Y?f)+ 

I(K lb ; X% , Y?/ \K lf , K 2f , X% , Y 2 f , Y" b ) + (n f + n b )e' 
<I(X%;Y?/\X%,Y?/)+ 

I{K lb ,Yg;Xy,Y?/\K lf ,K aI ,X%,Y?/) + (n f + n b )e' 
( = 5 + I(K lb , Y" b ■ Y?/ \Y 2 / ) + (n f + n b )e' 

< J2Zi I(Kn, Y? b \Y;ilX/, + i\Y lf ,\Y 2 n /) + (n f + n b )e' 



(f) 



= E^i I (Kib, Y? b \Yij^l i+ i,Y X f, i \Y 2f J + (nf + n b )e' 
= nfI(Tif b ,Q;Y lf)Q \Y 2f)Q ) + (n f + n b )e' 

where (a) results from the security conditions, (b) from Fano's 
inequalities, (c) from the Markov chain (14), (d) and (e) from 
the Markov chain (13), (f) from the combination of the memo- 
ryless property and Markov chain (13), (g) from the definition 
of the random variable T 1/M 4 K lb , Y$>, Y^ i+1 
and considering the random variable Q which is uniformly 
distributed on {1, 2, N}. 
With the same approach, it can be shown that: 

(n f +n b )R 2 < n b I(X 3b -Y 2b \Y lb ) +2(nf+nb)e+nfei+n h e 3 . 

In the following, the rate constraint in corollary 1 is proved. 

n b I(X sb - Y lb ) > I{X£;Yg) > H??/ ;Yg) 

> HY 3 n / ; Yg) + H(K, b \K,f,Xy f , Y"/ , Y" b ) - n b e 2 

® /(y 3 7 ; Y^ ) + H(K U | Y; 1 / , Y" b ) - n b e 2 

> 7(r 3 y ; Y$ ,K lb )- I(Y?/ ; Yg ,K lb )- n b e 2 

®I(K lb ,Y%-Xf\Y??)-n b e2 

- iZi HKib, Ygi Y 3U \Y?/, y 3 "/ i+1 ) - n b e 2 

= 2ZZiH(Y 3 fAY 1Sa )-Y.ZiH(Y 3S ,\Yiy , Y^ +1 ,K lb , Y^)-n b e 2 

= E2i I(Kib, Y£,Y*£,Y?/,w Y af,i \ Y if,i) - r*e a 
= nfI(Ti fb ,Q;Y 3f>Q \Y lf>Q ) - n b e 2 

where (a) results from Fano's inequality, (b) and (c) from 
the Markov chain (13) and (d) from the combination of the 
memoryless property and Markov chain (13). 
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